Secure method for modifying data recorded in a memory card

ABSTRACT

Method for modifying data in a card transaction system including a smart card and a reader capable of reading the card, the card including a non-volatile, erasable and rewritable memory having at least one location to record a data value relating to card transactions. Each transaction results in modification of the data value, the latter being a monotonic function in time. At each transaction, a data value writing operation performs the writing of the new data value (Y) in a first location (B) of two predefined locations in the memory forming a counter, the writing operation erasing the old data value recorded in the second location (A) such that, at the end of the correctly performed writing operation, the first location contains the new data value whilst the second location contains the value zero.

TECHNICAL FIELD

The present invention relates to the systems in which part of the data records stored in a smart card is modified when a transaction is performed with a card reader, and relates more particularly to a secure method for modifying data recorded in a smart card during a transaction with a reader.

BACKGROUND ART

Smart cards, also called chip cards, are increasingly used as a carrier for data associated with the cardholders. These cards include contactless cards, for which the exchange of information is carried out by contactless electromagnetic coupling between an antenna housed in the card and an associated reader, which have been developed as access cards to controlled access zones, or as electronic purses.

In general, smart cards use non-volatile, erasable and rewritable EEPROM or flash EPROM-type memories, such that the data remains written in the memory even when the latter is switched off. They further allow updating of recorded data by erasing one or several memory locations and writing new data.

It is possible that, during a transaction, the memory is corrupted due to an accidental interruption of the power supply, generally due to an “abrupt withdrawal” of the card, i.e. the removal thereof before the processing operation has ended, which results in the loss of earlier data without new data being recorded. This risk is particularly great with contactless-type cards, where the spatial limits within which the card can function correctly are not perceptible.

There is an added risk in the case of non-volatile EEPROM-type memories with which, if a writing operation is interrupted before its normal end, the data may be written nonetheless, and can therefore be read correctly shortly after the writing operation. However, if this reading is repeated at a later point, it is not certain that it can be performed correctly, as the retention of information in the memory cell will have been insufficient as a result of the prematurely interrupted writing operation.

To ensure data integrity, it is therefore desirable for the cards to be protected against such risks, by ensuring that the data is either in the modified state or in the state prior to modification, but never in an undetermined intermediate state resulting from an “abrupt withdrawal”.

For reasons of transaction security, it is essential to restart the entire transaction should a power cut occur during the course of the transaction, at the risk of irreparably losing sensitive data (for example the credit balance of an electronic purse) if it is not possible to begin again from the start of the transaction.

In response to the problem detailed above, the storing of the data record in a buffer memory before carrying out its modification has been considered. Once all the modifications have been made to the records to be modified, the old records are erased from the buffer memory.

Unfortunately, for each record, this method requires a saving operation in the buffer zone, an operation for erasing the record to be modified, a rewriting operation and an operation for erasing the old record in the buffer zone, giving a total of 4 operations. This method therefore has the disadvantage of being time-consuming, which is a major drawback with contactless cards.

Furthermore, the saving of the data in another location in the memory before erasing the earlier data requires the presence of a “flag” indicating, according to its value, whether or not the modification operation has been carried out correctly. The flag can be a single bit which takes the value 0 or 1 according to whether the modification has taken place correctly or otherwise. Insofar as it is not conceivable, for obvious reasons, to record check bits at the same location as the data, the only solution consists in recording the flag (the check bit or bits) in a memory location reserved for this purpose, and therefore an entire block of 16 or 32 bits when a single bit or just a few bits would be sufficient.

The disadvantages mentioned above take on even more importance when the smart card is used in certain applications requiring only a low-capacity memory, where it becomes imperative not to waste positions in the memory and where the value of the data modified at each transaction is a monotonic function in time. In such applications, the memory data record is either an increasing counter which increments in time, such as for example a photocopier card, or a decreasing counter in the case of a card for public transport, where the value of the record is decremented by one unit with every journey, or an electronic purse, where the value of the record can only decrease.

DISCLOSURE OF THE INVENTION

Thus the aim of the invention is to achieve a method for modifying data in a smart card during a transaction which is carried out in a minimum amount of time, compatible with the access time to which the card is limited during the transaction.

Another aim of the invention is to achieve a method for modifying data in a smart card of the contactless type which does not require the reservation of check bits (flag) in a memory location.

The object of the invention is therefore a method for modifying the data in a card transaction system including a smart card or the like and a reader capable of reading the card when it is in a determined position in relation to the reader, the card including a non-volatile, erasable and rewritable memory comprising at least one location to record a data value relating to the transactions performed by the card, each transaction resulting in the modification of the data value, the latter being a monotonic function in time. At each transaction, a data value writing operation performs the writing of the new data value in a first location of two predefined locations forming a counter in the memory, the writing operation performing the erasing of the old data value recorded in the second location such that, at the end of the correctly performed writing operation, the first location contains the new data value whereas the second location contains the value zero.

BRIEF DESCRIPTION OF THE DRAWINGS

The aims, objectives and characteristics of the invention will become more clearly apparent on reading the following description with reference to the drawings, in which:

FIG. 1 is a schematic representation of the memory of a smart card in which the method according to the invention is implemented,

FIG. 2 is a schematic representation of the content of the two-tier counter of the memory for each phase of the writing operation,

FIG. 3 is a schematic representation of the two-tier counter of the smart card for each phase of the rewriting operation in a first situation after abrupt withdrawal,

FIG. 4 is a schematic representation of the two-tier counter of the smart card for each phase of the rewriting operation in a second situation after abrupt withdrawal,

FIG. 5 is a schematic representation of the two-tier counter of the smart card for each phase of the rewriting operation in a third situation after abrupt withdrawal,

FIG. 6 is a schematic representation of the two-tier counter of the smart card for each phase of the rewriting operation in a fourth situation after abrupt withdrawal, and

FIG. 7 is a schematic representation of the two-tier counter of the smart card for each phase of the rewriting operation in a fifth situation after abrupt withdrawal.

DETAILED DESCRIPTION OF THE INVENTION

In a chip card of the type with a wired logic memory, used in applications requiring little memory, the memory locations are limited. Thus, the memory of a chip card such as illustrated in FIG. 1 is an EEPROM-type memory having a capacity of 32 16-bit words. The invention described below allows for the omission of a check zone in the memory, which would require the reservation of an entire word. For this, two memory locations forming a two-tier counter (tier A, tier B) are reserved for recording the new data value at each transaction carried out between the reader and the smart card.

The principles of the invention are advantageously used in all of the applications where the data value modified at each transaction is a monotonic function in time. In some cases (for example a card used to make photocopies), the recorded value is incremented, while in other applications, such as access to controlled access zones or the electronic purse, the data value decreases. However, it is preferable to increment rather than decrement the counter. As a matter of fact, when there is an abrupt withdrawal, the risk is that the bits which have been written in the memory are not correctly retained. In this case, the recorded value can only decrease, because each bit at 1 can switch back to 0. If decrementation is used, an incorrectly written value that then decreases constitutes a risk to the cardholder, insofar as it is not possible to know whether the value in the memory is the result of a normal decrementation or of an abnormal decrease of the memory content. Conversely, when incrementation is used, a decrease of the memory content presents no risk, insofar as the value to be considered, when an incorrectly recorded value decreases after an abrupt withdrawal, is the preceding value before incrementation.

In the case of decrementation, it suffices to store, each time, the binary two's complement of the data value, which then increases at each transaction. Thus, in the following, the data value is incremented at each transaction, irrespective of the application in question.

The method according to the invention consists in recording the new data value resulting from the modification in the tier of the counter that contained the value 0, and erasing the other tier of the counter to set its value to 0. These two phases, whose order cannot be reversed, are triggered by an instruction to write the new value, sent by the reader at the time of the transaction.

FIG. 2 illustrates the normal course of the operations. At the beginning, the reading of the counter makes value X appear in tier A and value 0 in tier B. The writing instruction then performs the writing of the new value Y in tier B, then the erasing of value X from tier A. Thus, the counter is incremented in one instruction.

Unfortunately, an abrupt withdrawal of the card can occur during the transaction, in particular when the chip card is a contactless card. In this case the writing operation does not proceed correctly, and either the writing of the new value has not been performed correctly, or the old value has not been erased. In this case, the transaction does not succeed or is not validated. The result of this can be that the opening of a gate providing access to a controlled access zone is not authorised, or that a purchase at a retail terminal in the case of an electronic purse is not permitted.

The cardholder therefore restarts the operation, consisting in passing his/her card in or in front of a reader. The reader first performs the reading of the counter, which indicates that neither of the two tiers of the counter is at the value 0. It deduces immediately therefrom that there has been an abrupt withdrawal and therefore performs the repair of the counter as described below.

FIGS. 3 to 7 illustrate the counter repair operations when there has been an abrupt withdrawal, depending on whether this abrupt withdrawal has occurred during the writing phase, between the writing and erasing phases, or during the erasing phase.

In a first situation, illustrated by FIG. 3, the abrupt withdrawal has taken place during the writing phase; the value Y has been written but the value X has not been erased. In this case, and although the value Y is correct, it is not possible to guarantee the retention of this value in tier B. The value Y is therefore rewritten before performing the erasing of the value X from tier A to set it to 0. It is to be noted that the writing of a memory location is an OR function between the value which is located there and the new value, and that consequently a new value can only be written correctly if the old value is equal to 0 or identical to the new value (which is the case here), or, more generally, if every bit already set in the location is also set in the new value.

In a second situation, illustrated in FIG. 4, the abrupt withdrawal has taken place during the writing phase; a value Y′ between X and Y has been written in tier B and the value X has not been erased from tier A. In this case, a first writing operation performs the rewriting of Y′ in tier B and the erasing of X from tier A. Then, a writing operation performs the writing of Y in tier A and the erasing of Y′ from tier B, such that the counter is again in a normal situation where one tier contains the new value and the other tier is at 0.

In a third situation, illustrated in FIG. 5, the abrupt withdrawal has taken place during the writing phase; a value Y′ less than X has been written in tier B and the value X has not been erased. In this case, a first rewriting operation performs the rewriting of the value X in tier A and the erasing of Y′ from tier B. This is justified by the fact that the repair of the counter is always carried out with the highest value, which is, in this instance, the value X. Then, a writing operation performs the writing of the value Y in tier B and the erasing of X from tier A.

In a fourth situation, illustrated in FIG. 6, the abrupt withdrawal has taken place between the writing phase and the erasing phase; the value Y has been recorded in tier B but the value X has not been erased from tier A. As the retention of the value Y cannot be guaranteed, a rewriting operation performs the rewriting of the value Y in tier B and the erasing of the value X from tier A.

In a fifth situation, illustrated in FIG. 7, the abrupt withdrawal has taken place during the erasing phase; the value Y has been written in tier B but the value X has not been correctly erased, and a value X′ is found in tier A. It is therefore necessary to perform a rewriting operation of the value Y in tier B, which then performs the erasing of the value X′ from tier A.

In all of the situations which have just been described, the repair of the counter was undertaken because neither of the two tiers contained the value 0, and after repair, one of the two tiers contains the new data value whilst the other tier contains 0. It is to be noted that in no situation is the counter left in a state where the maximum value found in tier A or tier B is less than the old value (X).
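The following Python simulation is an added worked example, not code from the patent or from any implementation of it. It models the memory semantics the text relies on (a write ORs bits into a word and can only set bits; an erase clears the word; an interrupted write or erase leaves a word whose set bits are a subset of the intended one), implements the one-instruction increment of FIG. 2, the "consolidate on the highest value, rewrite it, erase the other tier" repair of FIGS. 3 to 7, and the two's-complement encoding for decreasing quantities mentioned earlier. The bit-step fault injection, the tracking of "weak" bits whose retention is not yet guaranteed, the function and class names, and the assumption that the reader retrying the transaction knows the intended new value Y are all this example's own.

```python
# Simulation of the two-tier counter (tiers A and B) described above: a write ORs
# bits into a word (it can only set bits), an erase clears the word, and an abrupt
# withdrawal can stop either phase part-way. Added illustration, not the patent's.
WORD_MASK = 0xFFFF  # 16-bit words, as in the memory of FIG. 1
BITS = [1 << i for i in range(16)]

class AbruptWithdrawal(Exception):
    """The card left the reader's field before the instruction finished."""

class TwoTierCounter:
    def __init__(self, a=0, b=0, fail_at=None):
        self.cells = {"A": a & WORD_MASK, "B": b & WORD_MASK}
        self.weak = {"A": 0, "B": 0}  # bits whose retention is not yet guaranteed
        self.fail_at, self.steps = fail_at, 0  # withdrawal injected at bit step fail_at

    def _step(self):
        if self.steps == self.fail_at:
            self.fail_at = None
            raise AbruptWithdrawal(dict(self.cells))
        self.steps += 1

    def write(self, cell, value):
        # Program the bits of `value` one at a time (OR semantics). The final
        # step ends the write; only then is retention of those bits guaranteed.
        for bit in BITS:
            if value & bit:
                self._step()
                self.cells[cell] |= bit
                self.weak[cell] |= bit
        self._step()
        self.weak[cell] &= ~value

    def erase(self, cell):
        # Clear bits one at a time; an interrupted erase leaves a residue X'
        # whose set bits are a subset of the old value X.
        for bit in BITS:
            if self.cells[cell] & bit:
                self._step()
                self.cells[cell] &= ~bit
        self.weak[cell] = 0

    def read(self):
        return self.cells["A"], self.cells["B"]

def write_new_value(ctr, new_value):
    """FIG. 2 in one instruction: write Y into the tier holding 0, then erase the other."""
    a, b = ctr.read()
    if a and b:
        raise ValueError("counter needs repair before it can be written")
    if not max(a, b) < new_value <= WORD_MASK:  # monotonic, and never 0 (erased marker)
        raise ValueError("new value must be greater than the old value")
    dst, src = ("B", "A") if b == 0 else ("A", "B")
    ctr.write(dst, new_value)
    ctr.erase(src)

def repair(ctr):
    """FIGS. 3 to 7: rewrite the highest value in place (refreshes retention), erase the other."""
    a, b = ctr.read()
    hi, lo = ("A", "B") if a >= b else ("B", "A")
    ctr.write(hi, ctr.cells[hi])
    ctr.erase(lo)

def retry_transaction(ctr, new_value):
    """Reader on re-presentation: repair if neither tier is 0, then write Y if not already there."""
    if all(ctr.read()):
        repair(ctr)
    if max(ctr.read()) != new_value:
        write_new_value(ctr, new_value)
    return max(ctr.read())

def classify(ctr, x, y):
    """Name the state a withdrawal left behind, in the text's terms."""
    a, b = ctr.read()
    if (a, b) == (x, y):
        return "Y written, X not erased (FIG. 3 or 6)"
    if a == x and x < b < y:
        return "Y' between X and Y (FIG. 4)"
    if a == x and 0 < b < x:
        return "Y' below X (FIG. 5)"
    if b == y and 0 < a < x:
        return "X' left by an interrupted erase (FIG. 7)"
    return "no repair needed"

def interrupted_increment(x, y, fail_at):
    """From A=X, B=0, interrupt the increment to Y at bit step fail_at, then retry."""
    ctr = TwoTierCounter(a=x, fail_at=fail_at)
    try:
        write_new_value(ctr, y)
    except AbruptWithdrawal:
        pass
    situation = classify(ctr, x, y)
    value = retry_transaction(ctr, y)
    return situation, value, ctr.read(), ctr.weak["A"] | ctr.weak["B"]

def encode_decreasing(balance):
    """Two's complement of a decreasing quantity, so that each debit increases the word."""
    word = (-balance) & WORD_MASK
    if word == 0:  # a stored 0 would be indistinguishable from an erased tier
        raise ValueError("balance 0 cannot be represented in this scheme")
    return word
```

Calling `interrupted_increment(5, 6, step)` for step values 1 to 4 walks through the five situations of the text (a partial Y′ below X, Y present but weak, Y present and X intact, and a residue X′ after an interrupted erase; `interrupted_increment(1, 6, 1)` gives the Y′-between-X-and-Y case), and in every case the retry ends with one tier at 0, the other holding Y, and no weak bits left. The guard in `write_new_value` is the caveat worth keeping in mind: 0 doubles as the "erased" marker, so the encoding of the data value must never produce it, which is why `encode_decreasing` refuses a balance of 0.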

1-10. (canceled)
11. A method for modifying the data in a card transaction system including a smart card or the like and a reader capable of reading said card when it is in a determined position in relation to said reader, said card including a non-volatile, erasable and rewritable memory comprising at least one location to record a data value relating to the transactions carried out by said card, each transaction causing the incrementation of said data value; said method comprising, at each transaction, an operation for writing said data value which performs the writing of the new data value (Y) in a first location (B), which contains the value zero, among two predefined locations forming a counter in said memory, said writing operation performing the erasing of the old data value (X) recorded in the second location (A) of said two locations such that, at the end of the writing operation, said first location contains said new data value whilst said second location contains the value zero if this writing operation was performed correctly, or neither of the two locations in said counter contains the value zero if said writing operation has not been performed correctly as a result of an abrupt withdrawal of said card in the course of the transaction.
12. The method according to claim 11, further including a repair of said counter by a rewriting operation comprising rewriting said new value (Y) in said first location (B) and erasing said old value (X) from said second location (A) when the abrupt withdrawal has taken place during the writing phase of said new value.
13. The method according to claim 11, further including, when said first location (B) contains an incorrect value (Y′) between said old data value (X) and said new data value (Y), a repair of said counter by a rewriting operation comprising rewriting said incorrect value in said first location and erasing said old value from said second location, followed by a writing operation comprising writing said new value in said second location (A) and erasing said incorrect value from said first location.
14. The method according to claim 11, further including, when said first location (B) contains an incorrect data value (Y′) which is less than said old value (X), a repair of said counter by a rewriting operation comprising rewriting said old data value (X) in said second location (A) and erasing said incorrect data value, followed by a writing operation comprising writing said new data value (Y) in said first location and erasing said old data value from said second location.
15. The method according to claim 11, further including a repair of said counter by a rewriting operation comprising rewriting said new data value (Y) in said first location (B) and erasing said old data value (X) from said second location (A) when the abrupt withdrawal has taken place between the writing phase of said new data value and the erasing phase of said old data value.
16. The method according to claim 11, further including, when the abrupt withdrawal has taken place during the erasing phase of said old data value (X) and an incorrect data value (X′) is recorded in said second location (A), a repair of said counter by a rewriting operation comprising rewriting said new data value (Y) in said first location (B) and erasing said incorrect data value from said second location.
17. A card transaction system including a smart card or the like and a reader capable of reading said card when it is in a determined position in relation to the reader, said card including a non-volatile, erasable and rewritable memory comprising at least one location to record a data value relating to the transactions carried out by said card, each transaction causing the incrementation of said data value; said system comprising a memory which includes a predefined first location and a predefined second location, forming a counter, each transaction resulting in a writing instruction performing the writing of a new data value (Y) in that one of said locations (B) which contains the value zero and the erasing of the old data value (X) in the other location (A), such that, at the end of the writing operation, said first location contains said new data value whilst said second location contains the value zero if this writing operation was performed correctly, or neither of the two locations in said counter contains the value zero if said writing operation has not been performed correctly as a result of an abrupt withdrawal of said card in the course of the transaction.
18. The system according to claim 17, wherein said smart card is a contactless card.